Steve Northcutt wrote:
>So I understand and agree - candidates that meet the CVE vulnerability
>definition and meet all the criteria may be included in the CVE. I don't
>understand why exposures that meet the rest of the conditions should end up
>included in the CVE. It seems like this presents a way for these exposure
>candidates such as finger, to become members of the class Vulnerabilities,
>when in fact they should be members of a class Exposures. Hey! We could
>start the CEE :) S.
Note that we have proposed changing the name of the CVE to be "Common
Vulnerabilities and Exposures." This idea has been accepted offline
by most Board members I've spoken to. The trick will be for us Board
members to use this new name, which effectively states that this list
of "problems" will include both classes.
Any discussions about how to discriminate between these two classes
should be postponed until sometime after the big splash at SANS. How
we discriminate between vulnerabilities and exposures, and what form
that information might take, is future work. The current work is to
iron out the details of the Interoperability Demo and to approve as
many draft CVE entries as is feasible (as associated content decisions
are resolved), so that the CVE has a credible introduction to the
public.
- Steve